Hi everyone,

Regarding Fail-stop signature scheme, im not too sure how do you prove a forgery.

For example:

public key: y1 , y2
private key: a , b, c, d
generator: g
random number: r
modulo : p

y1 = g^a * r^b % p
y2 = g^c * r^d % p

With the above example, an unbounded adversary will be able to find a few sets of private keys that can get y1 & y2. However how do you prove a forgery this way?

So far my guess is to ask the signer to provide the correct private keys?

thanks in advance!